Date: Fri, 25 Oct 2013 18:13:32 +0200
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: VANHULLEBUS Yvan <vanhu@freebsd.org>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: Can't configure a simple IPSec (manual SA/SP)
Message-ID: <CA%2Bq%2BTcrX%2Bs8FqE=dSwBUDkFnq_rMMBmb1cvRDS7uMgj8qfxHUw@mail.gmail.com>
In-Reply-To: <20131025133517.GA5588@zeninc.net>
References: <CA%2Bq%2BTcqJwNXPOEWeh_FcnLu5KE7cyU7e1h2Q4dc==8D441nRWA@mail.gmail.com> <20131025133517.GA5588@zeninc.net>

On Fri, Oct 25, 2013 at 3:35 PM, VANHULLEBUS Yvan <vanhu@freebsd.org> wrote:

> Do you use some bridging configuration ? Do you have some kind of
> filtering/NAT rules ? Some complex routing tables ?

No bridging, no firewall, no complex routing: the IPSec gate has only one default gateway.

> Can you send the output (on your IPsec gate) of:
> sysctl -a net.inet.ip.fastforwarding

[root@R2]~# sysctl -a net.inet.ip.fastforwarding
net.inet.ip.fastforwarding: 1

I didn't understand why you asked me for the status of fastforwarding. Then I disabled it and retried my IPsec configuration… Problem solved!

I found the notice in the inet(4) man page about fastforwarding not being compatible with IPSec: I was not aware of this compatibility issue.

I've proposed a small improvement to the rc.d/ipsec script to check the fastforwarding state: PR/183303.

Thanks a lot, Yvan!!
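
Added example, not part of the original e-mail and not the PR/183303 patch: a pre-flight check for the conflict described in the message above, reporting whether net.inet.ip.fastforwarding is on at runtime or set in a sysctl.conf-style file before manual SA/SP entries are loaded. The function names, return codes and the SYSCTL_CMD override are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the PR/183303 patch. SYSCTL_CMD and the file argument
# are assumptions that let the logic run on constructed input.
# Usage on the gateway: . ./ff_check.sh && ipsec_check
: "${SYSCTL_CMD:=sysctl}"
FF_OID=net.inet.ip.fastforwarding

# Runtime value of the knob; "unknown" when the OID cannot be read.
ff_runtime() {
    v=$($SYSCTL_CMD -n "$FF_OID" 2>/dev/null) || v=unknown
    echo "${v:-unknown}"
}

# Value of the last uncommented assignment in a sysctl.conf-style file.
# Prints nothing when the file is unreadable or never sets the knob.
ff_persisted() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*net\.inet\.ip\.fastforwarding[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# ipsec_check [sysctl.conf]
#   0  fastforwarding is off now and stays off at boot
#   1  fastforwarding is on now: disable it before loading SA/SP entries
#   2  off now, but the file turns it back on at the next boot
#   3  runtime state could not be read
ipsec_check() {
    conf=${1:-/etc/sysctl.conf}
    case $(ff_runtime) in
        0) ;;
        *[!0-9]*) echo "cannot read $FF_OID" >&2; return 3 ;;
        *) echo "$FF_OID is on: incompatible with IPsec, see inet(4)" >&2
           return 1 ;;
    esac
    p=$(ff_persisted "$conf")
    if [ -n "$p" ] && [ "$p" != "0" ]; then
        echo "$conf re-enables $FF_OID at boot" >&2
        return 2
    fi
    return 0
}
```

Return code 2 covers the case where the knob was switched off by hand to get the tunnel working but the persisted setting would silently bring the problem back after a reboot.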